lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <AANLkTinyV_U-uUm0Uz1w0JtKMc0j3Npomwx1BJ2Svrcg@mail.gmail.com>
Date: Tue, 21 Dec 2010 13:21:10 -0800
From: Chris Evans <scarybeasts@...il.com>
To: Victor Rigo <victor_rigo@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: adobe.com important subdomain SQL injection
	again!

On Sat, Dec 18, 2010 at 3:30 PM, Victor Rigo <victor_rigo@...oo.com> wrote:

> Let's see, flash is:
>
> - Cross-platform
> - Cross-architecture
> - Has it's own programming language
> - Is embedded on websites
> - Access to javascript to popup, local caches, etc.
>
> It's not ineptness, it's what you get when you right software that can
> actually do stuff.
>
> If Java applets were still the hip thing, you'd see the same thing about
> that.
>
> Victor Rigo, CISSP


This insight reminds me, I really must get around to going up for my CISSP.


>

Computer Security Consultant
> +5411-4316-1900
> Buenos Aires, Argentina
>
> --- On *Sat, 12/18/10, Jeffrey Walton <noloader@...il.com>* wrote:
>
>
> From: Jeffrey Walton <noloader@...il.com>
> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection
> again!
> To: "Maciej Gojny" <vuln@...ko-security.com>
> Cc: full-disclosure@...ts.grok.org.uk
> Date: Saturday, December 18, 2010, 5:53 PM
>
>
> On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny <vuln@...ko-security.com<http://mc/compose?to=vuln@ariko-security.com>>
> wrote:
> > hello full disclosure!
> >
> > After six months from the first contact with Adobe security team,
>  important
> > adobe.com subdomain is still vulnerable to SQL injection attacks. We
> hope
> > that this time, serious people will try to solve the problem.
> There's a reason Adobe is the most attacked software [1,2], and its
> probably because they write the most vulnerable software (or
> adversaries are looking for a challenge, which seems less intuitive
> and highly unlikely to me).
>
> It appears "insecurity" is an enterprise wide practice, and not just
> limited to their software.
>
> Jeff
>
> [1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009)
> http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>
> [2] "Adobe predicted as top 2010 hacker target" (Dec 2009)
> http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ